
I have set up a Symfony-based API which is being used by an Angular front end that is totally dependent on it (user registration included).

I have read multiple threads recommending using WSSE or FOSOAuthServerBundle, but I'm not sure which is the best method.

If I understood correctly, WSSE has to send X-WSSE headers with each API request, which makes me think it is not the best suited for performance.

As for FOSOAuthServerBundle, I have never used it, and it looks a bit complicated to me compared to WSSE, which is why I'm asking here before trying to implement it.

I have two simple groups of users (basic and admin). What would be the best way to secure my API, while also providing an easy way to keep user persistence (I mean access across the different pages)?

How should it be done on the Angular front side?

Thanks for your help.

Refs: http://blog.tankist.de/blog/2013/07/16/oauth2-explained-part-1-principles-and-terminology/

http://obtao.com/blog/2013/06/configure-wsse-on-symfony-with-fosrestbundle/

adaba

1 Answer


It all depends on what your requirements are.

First of all, OAuth 2 is an authentication mechanism/spec which you can use in combination with sessions/bearer tokens/... This also applies to local accounts (since you want to do user registration).

FOSOAuthServerBundle is a bundle to implement the server side of the OAuth2 specification. This basically means you can expose your OAuth2 side of the API to other applications and allow them to use your accounts to authenticate. Think Google login, Twitter login, etc., but for your own app.

This all has nothing to do with the way you validate/authorize your requests after the initial login has taken place.

Do you want to implement stateless authentication? Then I would recommend using the new JSON Web Token (JWT) specification.

See the Symfony bundle (LexikJWTAuthenticationBundle) and the JWT description (JWT.io).

There are many resources on it from the Angular side of things, and the API part is pretty straightforward.

WSSE does not seem suited to implementing in a RESTful API, and I have no experience using/implementing it, so I cannot comment on it too much.

  • Would definitely concur with going down the JWT / LexikJWTAuthenticationBundle route. Unless you specifically need some of the extra features, WSSE and OAuth are really overkill for most APIs. – Maltronic Jun 14 '15 at 13:34
  • @BartVanRemortele not sure why my comment was removed by moderators :-S Well, it's not an authentication protocol at all. It does not authenticate a user; that's the purpose of an IP, which OAuth2 does not provide facilities for. – zerkms Jun 14 '15 at 22:42
  • @BartVanRemortele OAuth *can* authorize authentication, that's correct. But it does not have to (and nothing in the standard mentions authentication, like at all). Every dog is a mammal, not every mammal is a dog. "How can you use OAuth to authorise when you have not validated who a person is?" --- actually, very easily. An auth token does not have to be associated with any user, any account or anything similar. "It's an authorization protocol to authorize third party apps to verify the identity of a user." --- it's not. It's to authorize 3rd-party apps to act on behalf, not authenticate. – zerkms Jun 15 '15 at 08:14
  • "The OAuth 2.0 **authorization framework** enables a third-party application to obtain limited access to an HTTP service" And I'm done here. Have fun. – zerkms Jun 15 '15 at 09:27